Serious Virus won't even let me search for help . . .

#1, inxs93 (Light Poster), Nov 13th, 2008

Hello everyone. I am new to this forum, and am pretty inept when it comes to computers. Even though I was using Trend Micro PC-cillin, I have gotten an extremely bad virus that I am having zero luck getting rid of. My sister also got the same thing, and the only website we both visited recently is the BBC5 website. I live in the U.S., but she was on a radio show when they were here, for what it matters.

Anyway, this is what has happened so far:

It started with a red circle with a white X in the task bar in the lower right by the clock. It seemed like it was the wrong size, and it kept popping up a message saying "You have been infected with Spyware. Download this patch. . ." I noticed there was a typo and a grammatical error so I was suspicious. I think I may have clicked on it, but the second the website came up I closed it.

While the pop-up was happening, I went to google, only to discover that every site went to an ad for antivirus09 or something to that effect. I noticed in the URL it said go.google. . . All search engines are hijacked.

I then removed Trend Micro PC and installed Windows Live Onecare. This actually seemed to remove the pop-up issue. But, all search engines are still hijacked, and this virus is so insidious that it won't even allow me to access any pages where I can get help. I'm surprised I can even get on this forum.

Today I purchased Kaspersky Anti-Virus 2009, but I can't install it because apparently there is some bit of Windows Defender left, but I can't remove it, nor can I figure out how to do so. I found one link to Microsoft that's supposed to help you remove WD, but, the virus won't let me open the page.

I've tried unsuccessfully to download: hijackthis, Spyhunter, Spybotsd160, and Malwarebytes Anti-Malware. All of those except the hijackthis are on my desktop, but I can't get them to open. From what I've read on this forum and elsewhere, the Malwarebytes thing should do the trick, but I can't get it to open.

And like I mentioned, any websites like bleepingcomputer.com, majorgeek.com, or even the Kaspersky homepage are blocked by this virus.

I really, really need help. I've got six years of programs on this computer, and I would really prefer to not have to reformat. And like I mentioned, I'm pretty inept at computer stuff, so go easy on me! As it is, I've spent several days trying to figure this out on my own, and I'm at my wit's end. I spent at least 7 hours today alone trying to restart, go into safemode, reboot, research, get people to look things up on their computers, etc, etc, etc, etc.

Thank you in advance for any assistance.

#2, crunchie (Moderator, Spyware Killer), Nov 13th, 2008

Hi and welcome to the Daniweb forums .

==========

Rename hijackthis to analysethis and try running it again.

#3, inxs93 (Light Poster), Nov 13th, 2008

When you say to rename it, do you mean in the URL or when it's actually on your computer? That was one of the ones where I couldn't even open the page. Do you have a link to a site for it?

Oh, and I forgot to mention that I'm encountering these errors when I'm trying to deal with antivirus programs where it's basically telling me I'm not connected to the Internet, when clearly I am.

I just tried to reinstall the Trend Micro PC program so I have some protection in the meantime, but now apparently it's incompatible with my version of Windows XP, and then when I tried to do an update through the control panel, it said something to the effect that it wasn't able to access the server.

#4, crunchie (Moderator, Spyware Killer), Nov 13th, 2008

I have renamed it and uploaded it for you. Download it from the attachment below.
Attached file: Analysethis.zip (306.8 KB)

#5, inxs93 (Light Poster), Nov 13th, 2008

Thanks! I was able to open that with no trouble! I'll do a scan when I get back in a little bit. Should I post the results here?

Also, from what I've read, it sounds like MalwareBytes Anti-Malware program has been the key to beating this virus. Of course, I can't open it because of the virus, but I hear that it's possible to rename the exe file to trick the virus into allowing it to open.

Do you know how to rename it? Or, if it's not too much of a hassle, to do another one of those zip files? I was going to try to download it at my parents' house and burn it onto a CD, but they have an Apple, and I couldn't figure out how to burn it onto a CD, and I don't even think it was compatible on their computer to begin with. My next step is to try and rename the file (if I can figure out how to do it), or go buy a flash drive and try to transfer it that way.

And thank you so much for helping!

#6, crunchie (Moderator, Spyware Killer), Nov 13th, 2008

If you post the hijackthis log here we may be able to delete the files that are stopping MBAM from running.
To rename the file though, just right-click on it, select Rename, call it whatever and then hit the Enter button.
I have not heard of that being done with MBAM, but it should be possible.

#7, inxs93 (Light Poster), Nov 14th, 2008

Okay, so here's an update on what I've done:

I went through my add/remove list using a list of programs that should be removed, and discovered that I had spywarebot, which, as most people by now probably know, is bad, and that spybot is the good program. I installed that over a year ago. It has now been removed.

I renamed the Malwarebytes program to eatthis (clever, I know), and it opened no problem. I did a scan, it found some stuff, and I deleted it. I was hoping that that was the end of it. I restarted the computer, and discovered that google is still being hijacked.

I was able to run the spyhunter program that found some incriminating looking stuff, but when I tried to delete them, I was told I had to pay for the full version. Sorry, I fell for that with spywarebot already, so bye bye, it's now off my system.

I then tried to open the spybotsd program, but I get an error that says a connection to the server cannot be made, so it won't open.

Oh, and then when I restarted my computer, I noticed to my dismay that google was taking over as the homepage again.

Also, when the computer starts up, I get an error regarding SPRTCMD.EXE and about something missing, and the error also mentions LIBEAY32.DLL. Any idea as to what that is all about?

And lastly, I ran the hijackthis, and will cut and paste the log below. I looked through it, and while I don't understand most of it, I did see quite a few things that I thought were long gone, such as the earthlink accelerator, which I cannot find in the add/remove list, so I'm not sure how to get rid of these things.

I'm sorry if this is an overload of information, but I just want to be as complete as I can in the steps I have taken in the event that reveals anything that could help.

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:29 AM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Charlie Kierscht\Desktop\New Folder\Analysethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O1 - Hosts: 5377608764 www.selfbookmarks.com
O1 - Hosts: 5377608764 www.selfbookmarks.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195791662969
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file:///E:/tools/en/bin/npseatools.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8378 bytes


Please let me know if I need to insert the log in a different fashion or if this is okay, and again, thanks so much for your help!

#8, crunchie (Moderator, Spyware Killer), Nov 14th, 2008

Ok. First things first. I am a stickler for people following only the instructions given. Although it is good that you have indicated everything you have done, doing things that are not requested can create a lot of confusion for the helper (namely me).
If you can stick to just what I request you do, I would appreciate it. You can run all the programs you wish once we are finished.

Deal?

====

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)

O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

Please post the SDFix log within CODE Tags.
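
The log posted in #7 and the entries crunchie picks out of it in #8 follow a pattern that can be checked mechanically. The script below is an added example written for this page; it is not HijackThis's own code and was not posted by anyone in the thread. It parses HijackThis 2.0 log lines into section/body pairs and flags the entry types the thread turns on: hooks whose target reads "(no file)" or "(file missing)", O1 hosts-file overrides (here with a non-IP address and a line listed twice), a non-empty O20 AppInit_DLLs value (a DLL named there is loaded into every process that loads user32.dll), and O4 Run entries that hand rundll32 a DLL by bare name so it is resolved through the DLL search path. The sample input is a constructed subset of the lines from the posted log; the function names and the heuristics are mine and mark entries for review, not as confirmed malware. The EarthLink O8 entries crunchie also removes are deliberately not caught: the log alone does not show that the program is gone, which is the part that still needs a human.

```python
"""Triage a HijackThis 2.0 log: parse entries and flag the patterns this thread acts on.

Added example for this page; not HijackThis code and not posted by anyone in the thread.
The heuristics are assumptions chosen for illustration and mark entries for review only.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in #7.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O1 - Hosts: 5377608764 www.selfbookmarks.com
O1 - Hosts: 5377608764 www.selfbookmarks.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O20 - AppInit_DLLs: karna.dat
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis prefixes every entry with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "R3", "O1", "O20"
    body: str     # everything after the "O1 - " prefix


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    body: str


def parse_log(text):
    """Return the entry lines of a HijackThis log; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def is_ipv4(token):
    m = IPV4_RE.match(token)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def flag_entries(entries):
    """Apply review heuristics; identical findings (e.g. a duplicated O1 line) are reported once."""
    hosts_seen = Counter(e.body for e in entries if e.section == "O1")
    findings = []
    for e in entries:
        # Hooks whose target no longer exists: leftovers that are safe to remove.
        if "(no file)" in e.body or "(file missing)" in e.body:
            findings.append(Finding(e.section, "orphaned entry: target file is missing", e.body))
        # "O1 - Hosts: <address> <name>": a non-IP address means the file was not written by Windows.
        if e.section == "O1":
            fields = e.body.split()
            if len(fields) >= 3:
                addr, host = fields[1], fields[2]
                reason = f"hosts file overrides {host}"
                if not is_ipv4(addr):
                    reason += f" with a malformed address {addr!r}"
                if hosts_seen[e.body] > 1:
                    reason += f" (listed {hosts_seen[e.body]} times)"
                findings.append(Finding(e.section, reason, e.body))
        # AppInit_DLLs is loaded into every process that loads user32.dll, so any value deserves a look.
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body.split(":", 1)[1].strip()
            if value:
                reason = "AppInit_DLLs is set; the module is injected into every user32-linked process"
                if not value.lower().endswith(".dll"):
                    reason += f"; {value!r} does not carry a .dll extension"
                findings.append(Finding(e.section, reason, e.body))
        # Run entries that give rundll32 a bare DLL name are resolved through the DLL search path.
        if e.section == "O4":
            m = RUNDLL_RE.search(e.body)
            if m and "\\" not in m.group(1):
                dll = m.group(1).split(",")[0]
                findings.append(Finding(e.section, f"rundll32 loads {dll!r} by bare name, resolved through the DLL search path", e.body))
    return list(dict.fromkeys(findings))


def format_report(findings):
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.body}" for f in findings)


if __name__ == "__main__":
    print(format_report(flag_entries(parse_log(SAMPLE_LOG))))
```

On the sample it reports six entries: the two R3 hooks and the Canon O3 toolbar as orphaned (the three crunchie checks in #8 for that reason), the hosts line once with its duplicate count, the O20 value, and the PtiuPbmd Run entry; the NvCplDaemon entry is not flagged because it gives rundll32 a full path. For a real log, pass the whole file's text to parse_log; the process list at the top and the "End of file" footer are ignored.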

#9, inxs93 (Light Poster), Nov 14th, 2008

Will do. And I promise, I'll follow only what you say from now on! I was just hellbent on trying to figure this thing out, but, I'm not doing such a good job. And as usual, I'll probably just make it worse if I keep it up! So I'll print out your instructions and follow them exactly. I'll try to do it tomorrow afternoon (Friday).

Thanks!

#10, crunchie (Moderator, Spyware Killer), Nov 14th, 2008

lol. It's already Friday afternoon here. 6.22 PM to be exact
©2003 - 2009 DaniWeb® LLC